Mailinglist Archive: opensuse-security (520 mails)

Re: [suse-security] Password Encryption
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Wed, 10 Jul 2002 12:23:38 +0200
  • Message-id: <3D2C0B2A.C9C09042@xxxxxxx>
Yuppa,

Christian Röpke wrote:
[...]
> ok, but if we know that there is a way to crack the shadow file, why
> don't we use a secure algorithm? (triple DES or AES) Are there no
> implementations of these algorithms?
> (a DES cracker machine costs about 100.000 $)

because it's not in the current security focus anymore. Of course there
are still people who conduct massive brute-force/dictionary/leaking attacks
against servers, but this also leaves a comparably big audit trail in
the system; in most Linux (and Unix) distros/derivatives, failed login
attempts will be logged to a file, say /var/log/messages or whatever your
mileage may be. Even very dumb/uninspired admins would notice this. I
don't say that they'd do something against it, but they sure would
notice it... |-)

The *real* problem is clear-text passwords, as used in telnet, ftp,
pop3, etc. Most attackers would not go the hard and tedious way of
feeding a 100 MB dictionary with even more strange words and phrases in
order to find a couple of lousy passwords for some pop3 accounts; all
they would have to do is abuse one of the many obvious and
not-so-obvious flaws of daemons/servers, apps or protocols, get into the
machine, install a sniffer, and finally harvest the passwords for an
easy return to the victim system. If I got you right, you haven't
implemented any deeper security on your system(s), so there we go...

If an attacker were able to get your shadow and passwd, you would
have more to worry about than the question of whether your password salts
are DES (=crap) or 3DES (=triple crap) encrypted.

Boris
---
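The "audit trail" argument above (failed logins end up in /var/log/messages, so a dictionary attack is loud) is easy to turn into an actual check. The script below is an added example and is not part of Boris's post or of any SuSE tool: it parses syslog-style sshd "Failed password" lines, groups them by source address, and flags any address that produced at least `threshold` failures inside a sliding window of `window_seconds`. The log lines are constructed for the example, and the year is assumed (syslog timestamps carry none); the field layout mirrors OpenSSH's standard "Failed password for USER from IP port N ssh2" message.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/messages lines (not captured traffic).
# 10.0.0.7 hammers several accounts in a few seconds; 192.168.1.20 is a
# legitimate user who mistyped a password once and then logged in.
SAMPLE_LOG = """\
Jul 10 12:01:02 mail sshd[2311]: Failed password for root from 10.0.0.7 port 40122 ssh2
Jul 10 12:01:03 mail sshd[2312]: Failed password for root from 10.0.0.7 port 40123 ssh2
Jul 10 12:01:05 mail sshd[2313]: Failed password for admin from 10.0.0.7 port 40124 ssh2
Jul 10 12:01:07 mail sshd[2314]: Failed password for oracle from 10.0.0.7 port 40125 ssh2
Jul 10 12:01:08 mail sshd[2315]: Failed password for invalid user test from 10.0.0.7 port 40126 ssh2
Jul 10 12:01:09 mail sshd[2316]: Accepted password for bolo from 192.168.1.20 port 1022 ssh2
Jul 10 12:15:44 mail sshd[2400]: Failed password for bolo from 192.168.1.20 port 1023 ssh2
Jul 10 12:15:50 mail sshd[2401]: Accepted password for bolo from 192.168.1.20 port 1024 ssh2
"""

# Matches the OpenSSH failure message; "invalid user" appears when the
# account does not exist at all, which is typical of dictionary runs.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2002):
    """Return a list of (timestamp, user, source_ip) for each failed login.

    Syslog lines carry no year, so one is supplied by the caller (assumed
    2002 here to match the date of the post)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated daemons are skipped
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside any window_seconds.

    Uses a sliding window over the per-IP sorted timestamps, so a slow
    trickle of occasional typos is not mistaken for an attack while a
    burst against many accounts is."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best = 0
        start = 0
        for end in range(len(attempts)):
            # advance the window start until it fits inside window_seconds
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {
                "max_in_window": best,
                "users": sorted({user for _, user in attempts}),
            }
    return flagged


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for ip, info in find_bruteforce(failures).items():
        print(f"{ip}: {info['max_in_window']} failures in 60s against {info['users']}")
```

Run against the sample it reports only 10.0.0.7 (five failures in seven seconds, spread over four account names), which is exactly the pattern Boris says even an uninspired admin would spot in the log; the lone failure from 192.168.1.20 stays below the threshold. A real deployment would read the file incrementally and also watch the telnet/ftp/pop3 daemons mentioned in the post, since those protocols leak the password itself rather than just a failure record.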
